On 2016/12/23 09:28, Arnall wrote:
> Hi everyone,
>
> I'm using a nbproc > 1 configuration for ssl offloading:
>
> listen web_tls
>     mode http
>     bind *:443 ssl crt whatever.pem process 2
>     bind *:443 ssl crt whatever.pem process 3
>
>     ../..
>     server web_plain u...@plain.sock send-proxy-v2-ssl
>
> frontend web_plain
>     bind *:80 process 1
>     bind u...@plain.sock process 1 accept-proxy
>
>     ../..
>
> And I'm looking for a secure solution in the web_plain frontend to
> know if the request comes from web_tls or not (in fact I want to know
> if the connection was initially made via SSL/TLS transport).
>
> I thought that send-proxy-v2-ssl could help but I have no idea how ...
> src and src_port are OK with the proxy protocol but ssl_fc in
> web_plain keeps answering false (0) even when the request comes from
> web_tls.
>
> I could set and forward a secret header set in web_tls but I don't
> like the idea ... (have to change the header each time a sysadmin
> leaves the enterprise...)
>
> Thanks.
>
This use case has come up a few times:
https://www.mail-archive.com/haproxy@formilux.org/msg23882.html

My crude solution is an ACL check on the port the client connected to
(dst_port eq 443).

-Patrick
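
The dst_port check suggested above, written out as an added configuration example (not from either poster). The socket path, the `haproxy` user, the `X-Forwarded-Proto` header and the `app` backend are assumptions made for illustration; the rest follows the configuration quoted in the thread.

```haproxy
listen web_tls
    mode http
    bind *:443 ssl crt whatever.pem process 2
    bind *:443 ssl crt whatever.pem process 3
    # The PROXY v2 header carries the client's original src/dst, so the
    # destination port seen by web_plain is the 443 the client connected to.
    # Socket path is a constructed placeholder.
    server web_plain unix@/var/run/haproxy/tls-offload.sock send-proxy-v2-ssl

frontend web_plain
    mode http
    # Plain listener: no accept-proxy, so dst_port is the real local port (80)
    # and cannot be influenced by the client.
    bind *:80 process 1
    # Only this listener trusts a PROXY header. Anything able to connect to the
    # socket can claim any dst_port, so limit access to the haproxy user
    # (assumed account name).
    bind unix@/var/run/haproxy/tls-offload.sock process 1 accept-proxy user haproxy mode 600

    # True only for connections relayed from web_tls.
    acl via_tls dst_port eq 443

    # Drop any client-supplied copy before setting the header, so the
    # application never sees a value the client chose.
    http-request del-header X-Forwarded-Proto
    http-request set-header X-Forwarded-Proto https if via_tls
    http-request set-header X-Forwarded-Proto http unless via_tls

    # Optional: force everything else onto TLS.
    # http-request redirect scheme https code 301 unless via_tls

    default_backend app   # hypothetical backend name
```

The check is only as trustworthy as the accept-proxy listener: it holds because the port 80 bind ignores PROXY headers and the unix socket is reachable solely by HAProxy's own processes.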